vCenter Server 400 Single Sign-On Error Failed to Retrieve STS Client
Article ID: 436368

Products

VMware vCenter Server

Issue/Introduction

Users are unable to access the vSphere Client interface of the VMware vCenter Server Appliance (VCSA). Navigating to the UI landing page fails and displays the following error message:

[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server - An error occurred when processing the metadata during vCenter Single Sign-On setup - Failed to retrieve an STS client for SSO domain vsphere.local

Environment

VMware vCenter Server 8.0.x

Cause

The VMware vCenter Server certificates, including the Secure Token Service (STS) and VMware Certificate Authority (VMCA) certificates, have passed their expiration dates, causing Single Sign-On (SSO) authentication to fail completely.

Resolution


  1. Power off the vCenter Server Appliance (VCSA) and take a cold (offline) snapshot. This is a critical rollback requirement before modifying certificates.

  2. Power on the VCSA and connect via SSH using the root account credentials.

  3. Download the vCert utility to the vCenter Server Appliance and make it executable.

  4. Execute the vcert utility script.

  5. Select Option 6 to reset and regenerate all vCenter Server certificates.

  6. Allow the script to run to completion and automatically restart the internal vCenter services.

  7. Navigate to the vSphere Client URL to verify that UI access has been restored.
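Because the cause is certificate expiry, it is worth checking expiry dates on the appliance before SSO fails (or after the reset, to confirm the new certificates). The script below is an added example, not part of this article or of the vCert tool; it assumes the default vCenter 8.0 locations of vecs-cli and the VMCA root certificate, GNU date as shipped on Photon OS, and a root SSH session. It covers the VECS stores and the VMCA root only; the STS signing certificate is held in vmdir rather than VECS and is not read here.

```shell
#!/bin/sh
# Added example (not from this KB or the vCert tool): list days-to-expiry for
# every certificate in the VCSA VECS stores plus the VMCA root, so expired or
# soon-to-expire certificates are caught before SSO stops working.
# Assumed vCenter 8.0 defaults; override through the environment if they differ.
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
VMCA_ROOT="${VMCA_ROOT:-/var/lib/vmware/vmca/root.cer}"
WARN_DAYS="${WARN_DAYS:-30}"

# days_until NOW_EPOCH "notAfter=Mon DD HH:MM:SS YYYY GMT" -> whole days left,
# negative once expired. Relies on GNU date parsing the openssl date format.
days_until() {
  end=$(date -u -d "${2#notAfter=}" +%s) || return 1
  echo $(( (end - $1) / 86400 ))
}

# classify DAYS -> EXPIRED | WARN | OK, using the WARN_DAYS threshold
classify() {
  if [ "$1" -lt 0 ]; then echo EXPIRED
  elif [ "$1" -le "$WARN_DAYS" ]; then echo WARN
  else echo OK
  fi
}

# report LABEL  (PEM certificate on stdin) -> one status line
report() {
  end=$(openssl x509 -noout -enddate 2>/dev/null) || { echo "$1: no certificate"; return 0; }
  days=$(days_until "$(date -u +%s)" "$end")
  printf '%-40s %-8s %5s days  (%s)\n' "$1" "$(classify "$days")" "$days" "${end#notAfter=}"
}

# Walk the VMCA root file and every alias of every VECS store (needs root).
# Aliases that hold only a secret key yield no certificate and are reported as such.
check_vcsa() {
  [ -r "$VMCA_ROOT" ] && report "VMCA root" < "$VMCA_ROOT"
  [ -x "$VECS_CLI" ] || return 0
  for store in $("$VECS_CLI" store list); do
    for alias in $("$VECS_CLI" entry list --store "$store" | awk '/^Alias/ {print $NF}'); do
      "$VECS_CLI" entry getcert --store "$store" --alias "$alias" 2>/dev/null | report "$store/$alias"
    done
  done
}

if [ -x "$VECS_CLI" ] || [ -r "$VMCA_ROOT" ]; then
  check_vcsa
else
  echo "neither $VECS_CLI nor $VMCA_ROOT found: run this on the VCSA as root" >&2
fi
```

Any line marked EXPIRED matches the condition described under Cause; WARN lines indicate certificates to renew before they produce the same failure.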


Additional Information

vCert - Scripted vCenter expired certificate replacement (385107)


vCenter displays 400 error on landing page (421793)